As a Java zero-day spreads, disclosure questions arise

A zero-day Java exploit is growing more prevalent now that it has been added to the BlackHole exploit kit, a popular, commercially available framework for delivering web attacks.

Kurt Baumgartner, a senior security researcher at security firm Kaspersky Lab, said Tuesday in a blog post that infections are becoming more common, spreading from their initial starting point in China to computers in the United States, Russia, Belarus and Germany, among other nations.

News of the ramp-up in attacks comes as researchers at penetration testing company Immunity disclosed Tuesday that the exploits actually are taking advantage of two unpatched vulnerabilities in Java 7 -- not just one, as originally was believed.

"[O]ne is used to obtain a reference to the "sun.awt.SunToolkit"class, and the other is used to invoke the public "getField" method on that class," Immunity developer Esteban Guillardoy wrote in a technical analysis of the bugs.

Every major browser is susceptible to the attack.

Nearly all security experts recommend that users disable or uninstall Java in the browser to protect themselves. For those still desiring to run the software platform, nonprofit DeepEnd Research has created an unofficial patch, and it is available upon request.

The zero-day also has reignited debate around vulnerability disclosure practices. Some in the security community are upset that researchers publicly linked to the exploit code -- it also was added to the Metasploit pen testing framework -- while others believe the full disclosure will force Oracle to act quickly to fix the issue. The company next is scheduled to release Java security updates Oct. 16.

An Oracle spokesman did not immediately respond to a request for comment.

Get SC Media delivered to your inbox

SC Media Featured White Paper of the Day

SC Media Newswire

SC Media Product/Industry Buzz

I would like to receive relevant information via email from Haymarket Media.

SC Media arms cybersecurity professionals with the in-depth, unbiased business and technical information they need to tackle the countless security challenges they face and establish risk management and compliance postures that underpin overall business strategies.